mirror of
https://github.com/carlospolop/hacktricks
synced 2025-02-17 22:48:32 +00:00
GitBook: [master] 9 pages and one asset modified
This commit is contained in:
parent
4d1d6880f9
commit
1fa4bfa885
6 changed files with 39 additions and 45 deletions
BIN
.gitbook/assets/image (253) (1) (2) (1) (1) (2).png
Normal file
BIN
.gitbook/assets/image (253) (1) (2) (1) (1) (2).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 40 KiB |
|
@ -139,7 +139,7 @@
|
|||
* [content:// protocol](mobile-apps-pentesting/android-app-pentesting/content-protocol.md)
|
||||
* [Drozer Tutorial](mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/README.md)
|
||||
* [Exploiting Content Providers](mobile-apps-pentesting/android-app-pentesting/drozer-tutorial/exploiting-content-providers.md)
|
||||
* [Exploiting a debuggable application](mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md)
|
||||
* [Exploiting a debuggeable applciation](mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md)
|
||||
* [Frida Tutorial](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/README.md)
|
||||
* [Frida Tutorial 1](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-1.md)
|
||||
* [Frida Tutorial 2](mobile-apps-pentesting/android-app-pentesting/frida-tutorial/frida-tutorial-2.md)
|
||||
|
|
|
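Review bot: the replacement line changes the visible entry title from "Exploiting a debuggable application" to "Exploiting a debuggeable applciation", which introduces two misspellings into the table of contents. The file path `exploiting-a-debuggeable-applciation.md` can stay as it is (renaming it would break existing links), but the link text should read `* [Exploiting a debuggable application](mobile-apps-pentesting/android-app-pentesting/exploiting-a-debuggeable-applciation.md)`.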
@ -4,7 +4,7 @@
|
|||
|
||||
This is **Carlos Polop**.
|
||||
|
||||
First of all, I want to indicate that **I don't own this entire book**, a lot of **information was copy/pasted from other websites and that content belongs to them** \(this is indicated on the copy/pasted content\).
|
||||
First of all, I want to indicate that **I don't own this entire book**, a lot of **information was copy/pasted from other websites and that content belongs to them** \(this is indicated on the pages\).
|
||||
|
||||
I also wants to say **thanks to all the people that share cyber-security related information for free** on the Internet. Thanks to them I learn new hacking techniques that then I add to Hacktricks.
|
||||
|
||||
|
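Review bot: the new wording "this is indicated on the pages" is less precise than the old "this is indicated on the copy/pasted content", since it no longer says that the attribution sits next to the copied material; "this is indicated on each page that contains copied content" keeps that meaning. While here, the unchanged line "I also wants to say **thanks to all the people...**" should read "I also want to say", and "Thanks to them I learn new hacking techniques that then I add to Hacktricks" reads better as "which I then add to HackTricks".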
@ -12,7 +12,7 @@ I also wants to say **thanks to all the people that share cyber-security related
|
|||
|
||||
If for some weird reason you are interested in knowing about my bio here you have a summary:
|
||||
|
||||
* I've worked in different companies as sysadmin, developer and **pentester** \(which is my current role\).
|
||||
* I've worked in different companies as sysadmin, developer and **pentester**.
|
||||
* I'm a **Telecommunications Engineer** with a **Masters** in **Cybersecurity**
|
||||
* Relevant certifications: **OSCP, OSWE**, **CRTP, eMAPT, eWPTXv2** and Professional Drone pilot.
|
||||
* I speak **Spanish** and **English** and little of French \(some day I will improve that\).
|
||||
|
|
|
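Review bot: dropping "(which is my current role)" is fine, but the neighbouring bio lines could get a pass in the same edit: "a **Masters** in **Cybersecurity**" should be "a **Master's** in **Cybersecurity**" with a closing period, and "and little of French" should be "and a little French".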
@ -49,7 +49,7 @@ It is recommended to **install azure-cli** in a **linux** and **windows** virtua
|
|||
Then, run `az login` to login. Note the **account information** and **token** will be **saved** inside _<HOME>/.azure_ \(in both Windows and Linux\).
|
||||
|
||||
Remember that if the **Security Centre Standard Pricing Tier** is being used and **not** the **free** tier, you can **generate** a **CIS compliance scan report** from the azure portal. Go to _Policy & Compliance-> Regulatory Compliance_ \(or try to access [https://portal.azure.com/\#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/22](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/22)\).
|
||||
__If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" \(you can get some help using the following tools\). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw_wcB#microsoft-azure).
|
||||
\_\_If the company is not paying for a Standard account you may need to review the **CIS Microsoft Azure Foundations Benchmark** by "hand" \(you can get some help using the following tools\). Download it from [**here**](https://www.newnettechnologies.com/cis-benchmark.html?keyword=&gclid=Cj0KCQjwyPbzBRDsARIsAFh15JYSireQtX57C6XF8cfZU3JVjswtaLFJndC3Hv45YraKpLVDgLqEY6IaAhsZEALw_wcB#microsoft-azure).
|
||||
|
||||
### Run scanners
|
||||
|
||||
|
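Review bot: escaping `__If` as `\_\_If` only makes the stray underscores render literally at the start of the sentence; they are leftover markup and should be removed so the line starts with "If the company is not paying for a Standard account...". The download link also carries a `gclid=` advertising-click tracking parameter; trim it to `https://www.newnettechnologies.com/cis-benchmark.html#microsoft-azure` so readers are not sent through a tracked URL.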
@ -94,7 +94,9 @@ azscan #Run, login before with `az login`
|
|||
|
||||
* **Standard tier** is recommended instead of free tier \(see the tier being used in _Pricing & Settings_ or in [https://portal.azure.com/\#blade/Microsoft\_Azure\_Security/SecurityMenuBlade/24](https://portal.azure.com/#blade/Microsoft_Azure_Security/SecurityMenuBlade/24)\)
|
||||
* **Periodic SQL servers scans**:
|
||||
|
||||
_Select the SQL server_ --> _Make sure that 'Advanced data security' is set to 'On'_ --> _Under 'Vulnerability assessment settings', set 'Periodic recurring scans' to 'On', and configure a storage account for storing vulnerability assessment scan results_ --> _Click Save_
|
||||
|
||||
* **Lack of App Services restrictions**: Look for "App Services" in Azure \([https://portal.azure.com/\#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites](https://portal.azure.com/#blade/HubsExtension/BrowseResource/resourceType/Microsoft.Web%2Fsites)\) and check if anyone is being used. In that case check go through each App checking for "Access Restrictions" and there aren't rules, report it. The access to the app service should be restricted according to the needs.
|
||||
|
||||
## Office365
|
||||
|
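Review bot: the added "_Select the SQL server_ --> ..." procedure line is not indented, so it renders as a separate paragraph that splits the bullet list instead of sitting under the "**Periodic SQL servers scans**" item; indent it beneath that bullet. The added App Services item also needs its grammar repaired: "check if anyone is being used. In that case check go through each App checking for "Access Restrictions" and there aren't rules, report it" should read "check whether any are in use. If so, go through each App and check its "Access Restrictions"; if no rules are configured, report it".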
@ -105,7 +107,3 @@ You need **Global Admin** or at least **Global Admin Reader** \(but note that Gl
|
|||
|
||||
Get objects in graph: [https://github.com/FSecureLABS/awspx](https://github.com/FSecureLABS/awspx)
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
|
|
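Review bot: whichever side of this hunk the line ends up on, `Get objects in graph: awspx` does not belong in the Office365 section: awspx (F-Secure Labs) builds an access graph for AWS accounts, not for Azure AD or Office365, so if the line is being kept it should move to the AWS material, and if this hunk is what removes it from here, that is the right call.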
@ -19,7 +19,7 @@ It's highly recommended to start reading this page to know about the **most impo
|
|||
This is the main tool you need to connect to an android device \(emulated or physical\).
|
||||
It allows you to control your device over **USB** or **Network** from a computer, **copy** files back and forth, **install** and uninstall apps, run **shell** commands, perform **backups**, read **logs** and more.
|
||||
|
||||
Take a look to the following list of [**ADB Commands**](adb-commands.md) ****to learn how to use adb.
|
||||
Take a look to the following list of [**ADB Commands**](adb-commands.md) _\*\*_to learn how to use adb.
|
||||
|
||||
## Smali
|
||||
|
||||
|
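Review bot: replacing `****to learn` with `_\*\*_to learn` does not fix the underlying problem, it just renders the stray asterisks literally after the link; the empty bold markers are GitBook artifacts and should be deleted so the line reads `Take a look at the following list of [**ADB Commands**](adb-commands.md) to learn how to use adb.` ("Take a look to" → "Take a look at" while editing).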
@ -193,7 +193,7 @@ You can use some **emulator** like:
|
|||
* [**Android Studio**](https://developer.android.com/studio) **\(**You can create **x86** and **arm** devices, and according to [**this** ](https://android-developers.googleblog.com/2020/03/run-arm-apps-on-android-emulator.html)**latest x86** versions **support ARM libraries** without needing an slow arm emulator\).
|
||||
* If you want to try to **install** an **image** and then you want to **delete it** you can do that on Windows:`C:\Users\<User>\AppData\Local\Android\sdk\system-images\` or Mac: `/Users/myeongsic/Library/Android/sdk/system-image`
|
||||
* This is the **main emulator I recommend to use and you can**[ **learn to set it up in this page**](avd-android-virtual-device.md).
|
||||
* \*\*\*\*[**Genymotion**](https://www.genymotion.com/fun-zone/) ****\(_Free version: **Personal Edition**, you need to **create** an **account**._\)
|
||||
* \*\*\*\*[**Genymotion**](https://www.genymotion.com/fun-zone/) **\*\*\(\_Free version:** Personal Edition**, you need to** create **an** account\*\*.\_\)
|
||||
* \*\*\*\*[Nox](https://es.bignox.com/) \(Free, but it doesn't support Frida or Drozer\).
|
||||
|
||||
{% hint style="info" %}
|
||||
|
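Review bot: the new Genymotion line `**\*\*\(\_Free version:** Personal Edition**, you need to** create **an** account\*\*.\_\)` has its bold and italic markers shifted onto the wrong words and several of them escaped, so it will render as garbage; restore it as `* [**Genymotion**](https://www.genymotion.com/fun-zone/) (_Free version: **Personal Edition**, you need to **create** an **account**._)`. Two unchanged lines in the same list also deserve a fix: the Mac path `/Users/myeongsic/Library/Android/sdk/system-image` embeds a specific user name and drops the final "s", so use `/Users/<User>/Library/Android/sdk/system-images` to match the Windows `C:\Users\<User>\...\system-images\` form, and "without needing an slow arm emulator" should be "a slow ARM emulator".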
@ -214,8 +214,6 @@ Or you could use a **physical** **device** \(you need to activate the debugging
|
|||
4. Press **Build number** 7 times.
|
||||
5. Go back and you will find the **Developer options**.
|
||||
|
||||
|
||||
|
||||
> Once you have installed the application, the first thing you should do is to try it and investigate what does it do, how does it work and get comfortable with it.
|
||||
> I will suggest to **perform this initial dynamic analysis using MobSF dynamic analysis + pidcat**, so will will be able to **learn how the application works** while MobSF **capture** a lot of **interesting** **data** you can review later on.
|
||||
|
||||
|
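Review bot: the quoted tip has a doubled word, "so will will be able to **learn how the application works**", which should be "so you will be able to"; the line before it reads better as "investigate what it does, how it works and get comfortable with it".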
@ -261,7 +259,7 @@ Drozer is s useful tool to **exploit exported activities, exported services and
|
|||
### Exploiting exported Activities
|
||||
|
||||
\*\*\*\*[**Read this if you want to remind what is an Android Activity.**](android-applications-basics.md#launcher-activity-and-other-activities)
|
||||
****Also remember that the code of an activity starts with the `onCreate` method.
|
||||
_\*\*_Also remember that the code of an activity starts with the `onCreate` method.
|
||||
|
||||
#### Authorisation bypass
|
||||
|
||||
|
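Review bot: `_\*\*_Also remember` (and the `\*\*\*\*` prefix on the "Read this if you want to remind what is an Android Activity" link line above it) render as literal asterisks; these empty bold spans are leftovers and should be removed rather than escaped, so the lines start with `[**Read this...` and `Also remember that...`. The hunk header context "Drozer is s useful tool" should be "Drozer is a useful tool".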
@ -296,7 +294,7 @@ Content providers are basically used to **share data**. If an app has available
|
|||
### **Exploiting Services**
|
||||
|
||||
[**Read this if you want to remind what is a Service.**](android-applications-basics.md#services)
|
||||
****Remember that a the actions of a Service start in the method `onStartCommand`.
|
||||
_\*\*_Remember that a the actions of a Service start in the method `onStartCommand`.
|
||||
|
||||
As service is basically something that **can receive data**, **process** it and **returns** \(or not\) a response. Then, if an application is exporting some services you should **check** the **code** to understand what is it doing and **test** it **dynamically** for extracting confidential info, bypassing authentication measures...
|
||||
[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)\*\*\*\*
|
||||
|
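Review bot: same artifact here, `_\*\*_Remember` should simply be `Remember`, and the sentence has a doubled article: "Remember that a the actions of a Service" → "Remember that the actions of a Service". Further down, "As service is basically something that **can receive data**" should be "A service is basically...", and the trailing `\*\*\*\*` after the `[**Learn how to exploit Services with Drozer.**](drozer-tutorial/#services)` link should be dropped.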
@ -304,7 +302,7 @@ As service is basically something that **can receive data**, **process** it and
|
|||
### **Exploiting Broadcast Receivers**
|
||||
|
||||
[**Read this if you want to remind what is a Broadcast Receiver.**](android-applications-basics.md#broadcast-receivers)
|
||||
****Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
|
||||
_\*\*_Remember that a the actions of a Broadcast Receiver start in the method `onReceive`.
|
||||
|
||||
A broadcast receiver will be waiting for a type of message. Depending on ho the receiver handles the message it could be vulnerable.
|
||||
[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)
|
||||
|
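Review bot: as in the Services hunk, drop the `_\*\*_` prefix and the doubled article ("that a the actions" → "that the actions"), and fix "Depending on ho the receiver" → "how". More importantly, the link `[**Learn how to exploit Broadcast Receivers with Drozer.**](./#exploiting-broadcast-receivers)` points at an anchor on this same page rather than at the Drozer tutorial, unlike the Services link that targets `drozer-tutorial/#services`; it should point at the corresponding section of the Drozer tutorial page.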
@ -366,7 +364,7 @@ It's recommended to **apply SSL Pinning** for the sites where sensitive informat
|
|||
First of all, you should \(must\) **install the certificate** of the **proxy** tool that you are going to use, probably Burp. If you don't install the CA certificate of the proxy tool, you probably aren't going to see the encrypted traffic in the proxy.
|
||||
**Please,** [**read this guide to learn how to do install a custom CA certificate**](android-burp-suite-settings.md)**.**
|
||||
|
||||
For applications targeting **API Level 24+ it isn't enough to install the Burp CA** certificate in the device. To bypass this new protection you need to modify the Network Security Config file. So, you could modify this file to authorise your CA certificate or you can ****[**read this page for a tutorial on how to force the application to accept again all the installed certificate sin the device**](make-apk-accept-ca-certificate.md)**.**
|
||||
For applications targeting **API Level 24+ it isn't enough to install the Burp CA** certificate in the device. To bypass this new protection you need to modify the Network Security Config file. So, you could modify this file to authorise your CA certificate or you can **\*\*\[**read this page for a tutorial on how to force the application to accept again all the installed certificate sin the device**\]\(make-apk-accept-ca-certificate.md\)**.\*\*
|
||||
|
||||
#### SSL Pinning
|
||||
|
||||
|
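Review bot: this replacement breaks the link. The new line escapes the brackets and parentheses, `**\*\*\[**read this page ...**\]\(make-apk-accept-ca-certificate.md\)**.\*\*`, so `make-apk-accept-ca-certificate.md` no longer renders as a link at all, which is worse than the `****` artifact the old line had. Write it as `... or you can [**read this page for a tutorial on how to force the application to accept again all the installed certificates in the device**](make-apk-accept-ca-certificate.md).` (also fixing "certificate sin the device"). The preceding context line "learn how to do install a custom CA certificate" should be "learn how to install".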
@ -403,8 +401,6 @@ This vulnerability resembles **Open Redirect in web security**. Since class `Int
|
|||
Many developers make **use** of this **feature** and create **proxy** **components** \(activities, broadcast receivers and services\) that **take an embedded Intent and pass it to dangerous methods** like `startActivity(...)`, `sendBroadcast(...)`, etc.
|
||||
This is dangerous because **an attacker can force the app to launch a non-exported component that cannot be launched directly from another app**, or to grant the attacker access to its content providers. **`WebView`** also sometimes changes a **URL from a string to an `Intent`** object, using the `Intent.parseUri(...)` method, and passes it to `startActivity(...)`.
|
||||
|
||||
|
||||
|
||||
### Android Client Side Injections and others
|
||||
|
||||
Probably you know about this kind of vulnerabilities from the Web. You have to be specially careful with this vulnerabilities in an Android application:
|
||||
|
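Review bot: the context line "Probably you know about this kind of vulnerabilities from the Web. You have to be specially careful with this vulnerabilities in an Android application" needs a grammar fix: "You probably know this kind of vulnerability from the Web. You have to be especially careful with these vulnerabilities in an Android application".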
@ -483,7 +479,7 @@ receivers
|
|||
**HTTP tools**
|
||||
|
||||
When http traffic is capture you can see an ugly view of the captured traffic on "**HTTP\(S\) Traffic**" bottom or a nicer view in "**Start HTTPTools**" green bottom. From the second option, you can **send** the **captured requests** to **proxies** like Burp or Owasp ZAP.
|
||||
To do so, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ \(http://127.0.0.1:8080\).
|
||||
To do so, _power on Burp -->_ _turn off Intercept --> in MobSB HTTPTools select the request_ --> press "**Send to Fuzzer**" --> _select the proxy address_ \([http://127.0.0.1:8080\](http://127.0.0.1:8080\)\).
|
||||
|
||||
Once you finish the dynamic analysis with MobSF you can press on "**Start Web API Fuzzer**" to **fuzz http requests** an look for vulnerabilities.
|
||||
|
||||
|
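Review bot: the new line wraps the proxy address as `\([http://127.0.0.1:8080\](http://127.0.0.1:8080\)\)`; the escaped `\]` and `\)` inside the markdown link mean it will not render as a link, and an escaped autolink is no improvement on the plain `\(http://127.0.0.1:8080\)` it replaces, so keep the plain form. Nearby context has typos worth fixing in the same edit: "MobSB HTTPTools" → "MobSF HTTPTools", "bottom" → "button" (twice, in "**HTTP\(S\) Traffic**" bottom and "**Start HTTPTools**" green bottom), "When http traffic is capture" → "captured", and "an look for vulnerabilities" → "and look".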
@ -650,7 +646,7 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
|
|||
|
||||
### OWASP
|
||||
|
||||
{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" %}
|
||||
{% embed url="https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/mobile-security-testing-guide/ios-testing-guide/0x06g-testing-network-communication" caption="" %}
|
||||
|
||||
### Git Repos
|
||||
|
||||
|
|
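Review bot: adding `caption=""` does not address the real problem with this embed: its `url` value is two URLs glued together with an encoded newline (`%0A`), `https://github.com/OWASP/owasp-mstg%0Ahttps://mobile-security.gitbook.io/...`, so the embed points at a nonexistent address. Split it into two separate `{% embed url="..." %}` tags. Note also that the second URL is the iOS network-communication chapter (`ios-testing-guide/0x06g-testing-network-communication`) on an Android page; check that is the intended target. The header context "based on ubuntu-mate includes the" should be "based on ubuntu-mate that includes the".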